Notes on IT (mainly Microsoft)

Adding Users to AD LDS (ADAM) Readers Role


There are three default Roles (groups) in an application partition in an AD LDS (ADAM) instance:

  • Administrators
  • Readers
  • Users

Let’s look at the permissions of the Readers role (the application partition here is o=msft) using the Security UI in ldp.exe:

or using dsacls.exe:

The Readers role is empty by default; individual users or groups within AD LDS can be added by distinguishedName to the member attribute of the group.

The following ldf adds (nests) the Users role in AD LDS into the Readers role:

dn: CN=Readers,CN=Roles,O=msft
changetype: modify
add: member
member: CN=Users,CN=Roles,O=msft

placed in a file UserstoReaders.ldf and imported with

ldifde -i -f UserstoReaders.ldf -s localhost:389

from a command prompt on the AD LDS server, with the instance running on port 389.
As a result, all AD LDS users have Readers permission on the instance.

If we want to allow Windows/Domain users that can authenticate to the AD LDS instance to have Readers permissions, we can add the security identifier for Authenticated Users (SID: S-1-5-11) to the group with the following ldf:

dn: CN=Readers,CN=Roles,O=msft
changetype: modify
add: member
member:: PFNJRD1TLTEtNS0xMT4=

The Base64 encoding of the member attribute is explained here.
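As an added example (not the post's own code), a small Python script that generates both ldf changes above and shows why the SID value has to be base64-encoded: RFC 2849 does not allow an attribute value to start with '<', so the <SID=...> form must be written as member:: with base64. The role DN and the decoding helper are assumptions for illustration; the SID and the Users role DN are the ones from the post.

```python
import base64
import re

# Readers role DN in the post's application partition (o=msft).
READERS_DN = "CN=Readers,CN=Roles,O=msft"

# Windows security identifier, e.g. S-1-5-11 (Authenticated Users).
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# One LDIF attribute line: name, ':' or '::', optional space, value.
LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def ldif_line(attr, value):
    """Format one attribute line, base64-encoding it when RFC 2849 requires.
    A value that begins with '<', ':' or a space, or that contains non-ASCII,
    CR or LF, is not a SAFE-STRING and must be written as 'attr:: <base64>'.
    '<SID=...>' begins with '<', which is why the post's ldf uses 'member::'."""
    unsafe = value[:1] in ("<", ":", " ") or not value.isascii() \
        or "\r" in value or "\n" in value
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def add_members_ldif(group_dn, members):
    """Build the modify/add LDIF that nests members into group_dn.
    Members are AD LDS DNs or Windows SIDs; a SID is written in the
    <SID=...> form that AD LDS resolves to the foreign (Windows) principal."""
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    for m in members:
        lines.append(ldif_line("member", f"<SID={m}>" if SID_RE.match(m) else m))
    lines.append("-")  # RFC 2849 mod-spec terminator; ldifde accepts it
    return "\n".join(lines) + "\n"


def decode_line(line):
    """Reverse one attribute line (e.g. from an ldifde export) so a reviewer
    can see which principal a 'member::' value actually names."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    attr, sep, raw = m.groups()
    value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
    return attr, value


if __name__ == "__main__":
    # The same two changes as the post: nest the Users role, then Authenticated Users.
    print(add_members_ldif(READERS_DN, ["CN=Users,CN=Roles,O=msft"]))
    print(add_members_ldif(READERS_DN, ["S-1-5-11"]))
    # Import the saved file with: ldifde -i -f UserstoReaders.ldf -s localhost:389
```

Before importing, decode any member:: line from an ldifde export of the role with decode_line to confirm exactly which SID is being granted read access; S-1-5-11 covers every principal that can authenticate to the instance.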


Written by adamsync

May 23, 2012 at 22:27
